Hi Chris,

On 15/04/15 15:18, Chris Ross wrote:
> I’m experienced with UNIX/BSD networking, but this is my first effort with
> OpenVPN. I’ve got openvpn 2.3.6 running on a NetBSD router, and ran through
> a by-hand version of the steps in easy-rsa to generate server and client
> certificates. I have a Mac OS X client running Tunnelblick which has openvpn
> 2.3.6 inside of it.
>
> My configs are very close to the stock examples, except that I’ve set them
> to use TCP instead of UDP with tun, and I set the server side’s user and group
> to use nobody. I’m also trying to use IPv6 inside of the VPN, but that’s a
> secondary detail at this point.
>
> I can get the TCP connection to establish, but when Tunnelblick is
> reporting an attempt to authenticate, it just fails and retries over and
> over. The logs on the server side show:
>
> Apr 14 16:59:15 bifröst openvpn[10483]: TCP connection established with [AF_INET]A.B.D.C:63007
> Apr 14 16:59:16 bifröst openvpn[10483]: A.B.D.C:63007 TLS: Initial packet from [AF_INET]A.B.D.C:63007, sid=c8fff105 88ece256
> Apr 14 16:59:16 bifröst openvpn[10483]: A.B.D.C:63007 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> Apr 14 16:59:16 bifröst openvpn[10483]: A.B.D.C:63007 TLS Error: TLS object -> incoming plaintext read error
> Apr 14 16:59:16 bifröst openvpn[10483]: A.B.D.C:63007 TLS Error: TLS handshake failed
> Apr 14 16:59:16 bifröst openvpn[10483]: A.B.D.C:63007 Fatal TLS error (check_tls_errors_co), restarting
> Apr 14 16:59:16 bifröst openvpn[10483]: A.B.D.C:63007 SIGUSR1[soft,tls-error] received, client-instance restarting
>
> …and these just loop over and over until I interrupt the client’s attempts.
> Have I failed to set up my certificates properly? Have I failed to
> configure the server and/or client properly?
>
> I can attach configs, or client logs, if that would help. Mostly, I’m
> just looking for some help, as my first pass of googling for answers hasn’t
> yielded anything that looks like the right answer. I’ve found a few things
> that are close, but not yielding any suggestions or solutions that I was able
> to understand and draw a solution for myself from.
>

It's the line SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
which is "interesting" here: make sure you use the same set of tls-ciphers on both ends. What's in your server and client config? If nothing is specified then it should "just work". Better yet, post your entire (sanitized) server config so we can take a look at it. That will help greatly in troubleshooting the issue.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
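JJK's advice is to make sure both ends use the same set of tls-ciphers. As an added example (not from this thread and not OpenVPN project code), the Python below parses an OpenVPN server config and a client config, compares the `tls-cipher` lists, and also checks that `proto` and `dev` agree, reporting the mismatches that commonly produce the `SSL3_GET_CLIENT_HELLO:no shared cipher` handshake failure. The sample configs, the `vpn.example.test` hostname and the certificate placeholder are all constructed for illustration.

```python
"""Cross-check tls-cipher, proto and dev between an OpenVPN server and client config.

Added example, not part of the mailing-list thread. The sample configs at the
bottom are constructed; they are not the original poster's files.
"""
import re


def parse_openvpn_config(text):
    """Parse OpenVPN config text into {directive: [args, ...]}.

    Comment lines (# or ;) are dropped and inline <tag>...</tag> blocks
    (embedded certificates and keys) are skipped. For a directive that appears
    more than once the last occurrence wins, which is enough for the
    directives checked here.
    """
    directives = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        opening = re.match(r"<([a-z-]+)>$", line)
        if opening:
            block = opening.group(1)
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def tls_cipher_set(directives):
    """Return the configured tls-cipher suites as a set, or None if OpenVPN's default list applies."""
    args = directives.get("tls-cipher")
    if not args:
        return None
    return {suite for suite in args[0].split(":") if suite}


def _transport(directives):
    """Normalise proto: tcp-server/tcp-client -> tcp, udp6 -> udp; OpenVPN defaults to udp."""
    proto = (directives.get("proto") or ["udp"])[0].lower()
    return re.sub(r"[-\d].*$", "", proto)


def _dev_type(directives):
    """Normalise dev: tun0 -> tun, tap1 -> tap; OpenVPN has no default, assume tun for the check."""
    return (directives.get("dev") or ["tun"])[0][:3].lower()


def check_configs(server_text, client_text):
    """Return a list of human-readable mismatch findings; an empty list means nothing obvious is wrong."""
    srv = parse_openvpn_config(server_text)
    cli = parse_openvpn_config(client_text)
    findings = []

    s_tls, c_tls = tls_cipher_set(srv), tls_cipher_set(cli)
    if s_tls is not None and c_tls is not None:
        if not (s_tls & c_tls):
            findings.append(
                f"tls-cipher: no cipher suite in common "
                f"(server={sorted(s_tls)} client={sorted(c_tls)})"
            )
    elif (s_tls is None) != (c_tls is None):
        side = "server" if s_tls is None else "client"
        findings.append(
            f"tls-cipher: set on one side only; the {side} uses OpenVPN's "
            f"default list, so overlap cannot be verified from the configs alone"
        )

    if _transport(srv) != _transport(cli):
        findings.append(f"proto: server uses {_transport(srv)}, client uses {_transport(cli)}")
    if _dev_type(srv) != _dev_type(cli):
        findings.append(f"dev: server uses {_dev_type(srv)}, client uses {_dev_type(cli)}")
    return findings


# Constructed sample configs (placeholders, not real deployments).
SERVER_CONF = """
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-cipher DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
user nobody
group nobody
"""

CLIENT_CONF_MISMATCH = """
client
proto tcp
dev tun
remote vpn.example.test 1194
tls-cipher ECDHE-ECDSA-AES256-GCM-SHA384
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

CLIENT_CONF_OK = CLIENT_CONF_MISMATCH.replace(
    "ECDHE-ECDSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA"
)

if __name__ == "__main__":
    for name, conf in (("mismatch", CLIENT_CONF_MISMATCH), ("ok", CLIENT_CONF_OK)):
        print(name, check_configs(SERVER_CONF, conf) or "no mismatch found")
```

The check only sees what the config text says. A server can also log "no shared cipher" when its `tls-cipher` list contains only suites its own certificate key type cannot serve (for example ECDSA-only suites with an RSA server certificate), which requires looking at the certificate rather than the config; comparing the expansion of each side's list with `openssl ciphers -v '<list>'` on the respective host is the next step when the configs themselves agree.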